I'm working on connecting a public API Gateway to an internal combination of NLB and ALB via a VPC Link, and I need to ensure that traffic is encrypted all the way from the API Gateway through to my resource provider. I'm considering using a private CA for my backend resources, but I read that API Gateway won't trust it without using insecureSkipVerification, which I'd like to avoid. One idea I had was to create a public certificate and use it alongside a private hosted zone with the same domain. Does anyone have suggestions or best practices for this setup?
3 Answers
Absolutely, stick with public certs if you want to avoid enabling insecureSkipVerification. All that option does is tell the API Gateway to ignore any trust issues with untrusted certificates. Remember, you control the last part of this communication—linking AWS API Gateway to your VPC via VPC Link. Keeping it simple with a public certificate from a CA trusted by AWS API Gateway is the easiest and cleanest route, in my opinion.
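Added example, not from the thread: a Terraform sketch of the setup the question proposes (public ACM certificate on the internal ALB, the same name in a private hosted zone, REST API VPC Link integration with insecureSkipVerification left off). Assumed to exist elsewhere: aws_lb.alb and aws_lb.nlb (the NLB is what aws_api_gateway_vpc_link.link targets), aws_lb_target_group.app, aws_route53_zone.private, aws_api_gateway_rest_api.api and aws_api_gateway_resource.proxy; api.internal.example.com is a placeholder.

```hcl
# Public ACM certificate for the backend name (placeholder domain). DNS
# validation records go in the PUBLIC zone for the same name; omitted here.
resource "aws_acm_certificate" "backend" {
  domain_name       = "api.internal.example.com"
  validation_method = "DNS"
}

# The internal ALB terminates TLS with that certificate, so API Gateway sees
# a chain it already trusts and insecureSkipVerification can stay off.
resource "aws_lb_listener" "alb_https" {
  load_balancer_arn = aws_lb.alb.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.backend.arn
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}

# Same name in the PRIVATE hosted zone, resolving to the internal ALB
# from inside the VPC (zone assumed to already exist).
resource "aws_route53_record" "backend" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "api.internal.example.com"
  type    = "A"
  alias {
    name                   = aws_lb.alb.dns_name
    zone_id                = aws_lb.alb.zone_id
    evaluate_target_health = true
  }
}

# The integration URI carries the certificate's hostname; the VPC Link
# targets the NLB in front of the ALB. Verification is left enabled.
resource "aws_api_gateway_integration" "backend" {
  rest_api_id             = aws_api_gateway_rest_api.api.id
  resource_id             = aws_api_gateway_resource.proxy.id
  http_method             = "ANY"
  type                    = "HTTP_PROXY"
  integration_http_method = "ANY"
  connection_type         = "VPC_LINK"
  connection_id           = aws_api_gateway_vpc_link.link.id
  uri                     = "https://api.internal.example.com/{proxy}"
  tls_config {
    insecure_skip_verification = false
  }
}
```

A quick check from a host inside the VPC is `openssl s_client -connect api.internal.example.com:443 -servername api.internal.example.com`, which should end with `Verify return code: 0 (ok)` against a public trust store; that is the trust check insecureSkipVerification would otherwise bypass.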
Using a public certificate is definitely a solid option! There's really no issue with going that route. You might not even need a private hosted zone, just a public one will suffice.
Why not take a multi-cloud approach? Using Oracle API Gateway could work, as it supports private CAs. You would just need to set up an interconnect between Oracle Cloud Infrastructure and AWS to access your AWS internal ALB from the OCI API Gateway. It might seem overkill, but then you'd be leveraging the best services from different cloud providers!
Haha, I didn't see this comment soon enough to be the first to laugh. The downvotes are confusing, this is hilarious!
This might be the funniest suggestion I've seen in a while! But hey, if it solves the problem, who cares?